Sunday

23rd Jul 2017

Restaurants and hotels worried by EU data bill

  • Small business such as hotels oppose the European Parliament's draft data bill (Photo: Biblioteca de Arte / Art Library Fundação Calouste Gulbenkian)

Small businesses such as bed and breakfasts or cafes will have to hire a data protection officer (DPO) under new rules currently being fine-tuned by the European Parliament.

The parliament says any business that has 500 or more clients a year will require a data protection office to make sure data is secured and laws are being followed.

Thank you for reading EUobserver!

Subscribe now and get 40% off for an annual subscription. Sale ends soon.

  1. €90 per year. Use discount code EUOBS40%
  2. or €15 per month
  3. Cancel anytime

EUobserver is an independent, not-for-profit news organization that publishes daily news reports, analysis, and investigations from Brussels and the EU member states. We are an indispensable news source for anyone who wants to know what is going on in the EU.

We are mainly funded by advertising and subscription revenues. As advertising revenues are falling fast, we depend on subscription revenues to support our journalism.

For group, corporate or student subscriptions, please contact us. See also our full Terms of Use.

If you already have an account click here to login.

But small and medium-sized businesses (SMEs) say this is an unwelcome additional expense in an economy where many are struggling.

The European Commission in its impact assessment report estimates that an SME would have to pay around €1,000 extra each year to have someone ensure protocol is met.

The commission had proposed exempting businesses with fewer than 250 employees from having to hire a DPO, but parliament scrapped the exemption and introduced the 500 clients threshold.

“The commission made an exception for SMEs and they had a reason for that,” said Marta Machado, a policy advisor at the Brussels-based Hortrec, an umbrella organisation for hotels, restaurants, and cafes in Europe.

An average SME in Europe has less than 16 employees. Many others have only one person.

German Green Jan Philipp Albrecht, the lead negotiator on the file at the European Parliament, amended the commission’s draft to include any business with at least 500 or more clients or "data subjects."

A data subject is anyone who has their data processed. Reservation dates, names, addresses and credit card details are among the data a hotel uses to process information on its clients.

Keeping those details in check and making sure they are properly secured is among the tasks of a DPO.

But Dora Szentpaly-Kleis, a legal advisor at the Brussels-based European Association of craft, small and medium-sized enterprises (Ueampe), told this website: “Our problem is not that he [Albrecht] changed the approach because it might make sense to link the number to the data subject but we have the impression that the 500 is a very low number.”

“How did they assess this number because there was no interaction on this issue between the rapporteur and us,” says Szentpaly-Kleis.

A parliamentary source familiar with the file said the number "was open to negotiation."

Germany only member state with data protection officers

Germany is the only member state that currently requires a DPO.

For almost 30 years, any company with at least five employees had to hire an outside consultant to review how personal data was handled. The employee threshold was raised to 10 in 2006 after a legislative reform on data protection.

Werner Hulsmann, a Bonn-based data protection officer who has been working as a freelance DPO since 2004, agrees there are some costs to small businesses but risk of a data breach or violation decreases.

The German experience is varied according to company type, size and whether or not it has locations in other countries.

A 2012 survey by the Bonn-based consultancy firm 2B Advice GmbH found that businesses with up to 50 employees spend just over €1,000 per year on a DPO. Cost increases to over €660,000 for companies with more than 50,000 employees.

The survey assessed 375 German companies, including 90 multinationals.

It noted that a large percentage of data violations come from simple negligence like leaving documents in a printer. Unsecured and unencrypted IT was another weakness. The unlawful processing of personal data was less frequently cited as a violation.

The survey also found that over 38 percent of all in-company data privacy officers do not feel sufficiently well informed well informed about data privacy violations within the company.

“It doesn’t matter how many people or employees work on personal data, they have to accept and follow the rules of data protection,” says Hulsmann.

Focus

The Acta debate - will innovation be stifled?

Opponents of Acta, the controversial anti-counterfeiting treaty up for vote in the European Parliament in July, say, among other things, that it would stifle innovation. Advocates say the exact opposite.

Greece to get €7.7bn loan next week

The ESM, the eurozone emergency fund, agreed on Friday to unblock a new tranche of aid as part of the bailout programme agreed upon in 2015.

EU and Japan agree on free trade

Japanese prime minister and EU leaders to endorse major trade deal on Thursday in anti-protectionist message to Trump.

EU and Japan closing in on trade deal

[Updated] The EU and Japan edge closer to securing a free trade deal on Thursday, ahead of the G20 summit at the end of the week where US protectionism will be an issue.

Opinion

Greece needs a new plan

Two years into its third bailout, Greece needs to combine the necessary fiscal targets with a new vision. This can be done in the context of the ongoing industrial revolution.

Opinion

Ceta and pesticides: A citizens' rights issue

The trade agreement with Canada will begin to apply on 21 September. But there is still a potential conflict on the right to data protection vs. the right to access information.

News in Brief

  1. Polish parliament adopts controversial justice reform
  2. GMO opt-out plan unlikely to go anywhere in 2017
  3. Slovak PM threatens to boycott inferior food
  4. France takes Google's 'right to be forgotten' to EU court
  5. Turkey accuses German companies of supporting terror
  6. Israel's Netanyahu caught calling EU 'crazy'
  7. UK does not collect enough data to expel EU nationals
  8. Polish president threatens to veto justice reform

Stakeholders' Highlights

  1. European Jewish CongressJean-Marie Le Pen Faces Trial for Oven Comments About Jewish Singer
  2. ACCAAnnounces Belt & Road Research at Shanghai Conference
  3. ECPAFood waste in the field can double without crop protection. #WithOrWithout #pesticides
  4. EU2017EEEstonia Allocates €1 Million to Alleviate Migratory Pressure From Libya in Italy
  5. Dialogue PlatformFethullah Gulen's Message on the Anniversary of the Coup Attempt in Turkey
  6. Martens CentreWeeding out Fake News: An Approach to Social Media Regulation
  7. European Jewish CongressEJC Concerned by Normalisation of Antisemitic Tropes in Hungary
  8. Counter BalanceOut for Summer Episode 1: How the EIB Sweeps a Development Fiasco Under the Rug
  9. CESICESI to Participate in Sectoral Social Dialogue Committee on Postal Services
  10. ILGA-EuropeMalta Keeps on Rocking: Marriage Equality on Its Way
  11. European Friends of ArmeniaEuFoA Director and MEPs Comment on the Recent Conflict Escalation in Nagorno-Karabakh
  12. EU2017EEEstonian Presidency Kicks off Youth Programme With Coding Summer School

Latest News

  1. Dutch coalition talks lengthiest in 40 years
  2. Polish parliament steps up showdown with EU
  3. EU urges UK to clarify its Brexit positions
  4. Law expert: direct EU powers have become too complicated
  5. Winter is here for Spitzenkandidat, but he'll survive
  6. Mafia money pollutes the EU economy
  7. Central Europe should be wary of Brexit stopping
  8. Poland's 'July coup' and what it means for the judiciary